Issue link: https://securitytechnologyexecutive.epubxp.com/i/956571
48 SECURIT Y TECHNOLOGY E XECUTIVE • Februar y/March 2018 • www. SecurityInfoWatch.com CYBERSECURIT Y until the vulnerabili- ties that allowed the systems to be attacked in the first place do not magically get mitigated with a decryption key. Left untouched, there is a high probability of reinfection, especially if the ransom is paid. Organizations that need to recover from ra n s o mwa re sh o u l d expect to be down for weeks , regardless of if the ransom is paid or not . This outage means that all busi- ness operations that depend on IT systems will need to operate in their 'downtime' mode. As an example, other organizations have experi- enced a total loss of their timekeeping systems, which impacted their ability to calculate and issue paychecks. Automated supply chain management systems had to temporarily revert back to paper and fax machines, which impacted supply lev- els because of the additional time it took to keep inventories of critical supplies. The move to paper records, especially in hospitals, significantly slows the process of documenting work and submitting claims to insurance companies for payment. This resulted in one a hospital getting $60 million behind in cash flow in less than one month. Once systems are back online, it is important to re-enter the data so that the inventory and payment pro- cessing systems can restart. How can I reduce the probability of a successful attack? The attack vectors used by the ransomware con- trollers vary, but the primary path is thought to be through emails containing links to malicious web- sites. Some emails are broadcasted to a large mailing list while other attackers use spear-phishing attacks to target specific individuals who are thought to have administrator accounts. Regardless of the vec- tor, the first line of defense is to limit the number of individuals who have administrator privileges and the ability to execute untrusted/unauthorized code. The second line of defense is to mandate that all administrators have two separate user accounts — one 'routine' for use for general day-to-day work and a separate account with administrator privileges that is only used for functions requiring elevated privileges. The account with administrator privileges should not have email access, especially if that email address is published or can be easily guessed. It also helps to educate IT staff about the importance of not publicizing their roles on social media, as this can help reduce the information available for an attacker to attempt a spear phishing attack. Any- time an administrator account is accessed remotely, a multifactor solution should be used. On the technical front, the use of next-generation firewalls that perform deep packet inspection can be used to identify domains where malicious software is stored, then it can stop the download until other measures can be deployed. This requires a lot of trust in the tools, something that requires extensive documentation and testing. Valuable Lessons Studying the history of ransomware will help orga- nizations better prepare for an attack. The most valuable lesson is that as long as humans are in the decision loop, ransomware will win the race to infect nearly all vulnerable machines that it can find. This knowledge increases the impor- tance of having a robust incident response pro- cess where those individuals monitoring systems can alert senior decision makers with authority to shut down an organization's entire network on a moment's notice. It is also important that staff have access to the technical tools that allow them to isolate networks once the decision to execute the incident response plan is given. Second, as the event unfolds, the incident response team needs to be augmented with all key stakeholders whose processes are impacted, including non-technical executives. Incidents may impact the ability to deliver services as well as create invoices for past work. Internal operations such as timekeeping and payroll may need to use manual or operate using downtime procedures. There also needs to be non-automated procedures to order supplies from vendors and suppliers that normally provide materials. Finally, a strong incident response process needs to be developed and exercised regularly in order to proactively prepare for an attack. The response speed is paramount when responding to a ransom- ware attack so exercises should be planned with minimal people knowing the agenda and timing ahead of the exercise. Ultimately, it is about planning for the worst case, and hoping for the best. About the Author: Clyde Hewitt, CISSP, CHS is v ice president of securit y strategy at CynergisTek . He brings more than 30 years of executive leadership experience in cybersecurit y to his position with CynergisTek , where his many responsibilities include being the senior securit y ad v isor and client executive, thought leader and developer of strategic direction for information and cybersecurit y ser v ices, nationwide business development lead for securit y ser v ices, and contributor to CynergisTek 's industry outreach and educational events. » ...organizations have experienced a total loss of their timekeeping systems, which impacted their ability to calculate and issue paychecks. « – Clyde Hewitt